TweetDeck XSS vulnerability renders users' feeds NSFW

TweetDeck, an extremely popular application for using Twitter, is sending people messages that read "yo," "penis," and other silly phrases due to a security vulnerability in the app. It also caused other users to automatically retweet messages that they didn't manually retweet.

The reason for these and other bizarre messages is what’s called a cross-site scripting, or XSS, vulnerability with TweetDeck’s Web app and its extension in the Google Chrome browser. Before reading any further, if you use TweetDeck through either of these apps, you should go log out and revoke its access from your Twitter settings, which you can do here.

If you're using @TweetDeck, close it NOW. There's a killer XSS vulnerability in the wild and in use. Wait for them to give the all clear.

Internet and social media expert Tom Scott, whose tweet is above, went on to describe the scripting issue as “an absolutely staggering security hole” in a blog post. He explained that the vulnerability could allow a hacker to take actions ranging from making weird messages appear (as seen above) to potentially gaining complete control of someone’s account.

One user figured out how to send a tweet that would automatically be retweeted by all followers using vulnerable TweetDeck apps. The tweet sparked an automated chain reaction that caused it to accumulate more than 40,000 retweets in about 20 minutes. The number of retweets has been slowly declining as more inadvertent retweeters undo the action.
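The root cause the article describes, a client that treats tweet text as HTML rather than as text, and the standard output-encoding fix, shown as an added illustration that is not the article's code or TweetDeck's own: the functions `renderTweetUnsafe`, `escapeHtml` and `renderTweetSafe` and the sample tweet string are all constructed for this example.

```javascript
// Added example (not from the article or from TweetDeck's code base): the
// rendering mistake behind a stored XSS in a web client, beside the fix.
// The tweet text below is constructed; it contains markup and the characters
// that matter for HTML encoding.
const SAMPLE_TWEET_TEXT = '<script>alert("yo")</script> & <b>not bold</b>';

// Vulnerable pattern: raw tweet text is interpolated into an HTML string that
// the client later assigns to innerHTML. Any markup in the tweet becomes live
// DOM and runs with the logged-in user's session, which is how a single
// tweet can make every vulnerable viewer retweet it.
function renderTweetUnsafe(text) {
  return `<div class="tweet-text">${text}</div>`;
}

// Output encoding for the HTML text context: the five characters that can
// open a tag, close a tag or break out of a quoted attribute are replaced by
// their entity references, so the browser displays them instead of parsing them.
function escapeHtml(text) {
  const entities = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(text).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Hardened pattern: encode untrusted text before interpolating it. The tweet
// is shown verbatim to the reader, and no markup inside it is ever parsed.
function renderTweetSafe(text) {
  return `<div class="tweet-text">${escapeHtml(text)}</div>`;
}

// Cheap regression check for rendered output: a tag opener that came from the
// untrusted text must not survive into the HTML that reaches the DOM.
function leaksRawTag(renderedHtml, untrustedText) {
  const inner = renderedHtml.slice('<div class="tweet-text">'.length, -'</div>'.length);
  return untrustedText.includes('<') && inner.includes('<');
}

console.log('unsafe :', renderTweetUnsafe(SAMPLE_TWEET_TEXT));
console.log('safe   :', renderTweetSafe(SAMPLE_TWEET_TEXT));
console.log('leak?  :', leaksRawTag(renderTweetSafe(SAMPLE_TWEET_TEXT), SAMPLE_TWEET_TEXT));
```

`escapeHtml` covers only the HTML text context shown here; text placed into a URL, a JavaScript string or a CSS value needs that context's own encoding, and assigning the tweet with `textContent` instead of building HTML strings avoids the problem for text entirely. A Content-Security-Policy that disallows inline script is a useful second layer, since it blocks execution even if an encoding step is missed.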

Twitter, which purchased TweetDeck in 2011 for about $40 million, initially said that it had patched the vulnerability.

“We're aware of the issue, and it is now fixed,” Twitter spokeswoman Rachel Millner told the Daily Dot in an email. “Users should log out of TweetDeck and log back in to make sure the fix is fully applied.”

Soon after, however, Millner followed up by sending a link to this tweet as an update:

We've temporarily taken TweetDeck services down to assess today's earlier security issue. We'll update when services are back up.